Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views


Tuesday, July 30, 2013

A troll's main objective is to intentionally lure a victim into a pointless or
annoying discussion by responding to rude questions or statements. The troll
amuses himself while the unsuspecting victim is emotionally riled up.

The anonymous
quote “Never argue with an idiot. They will drag you down to their level, then
beat you with experience” represents the soundest advice when dealing with an
Internet Troll.

Remain calm and civil; if you lose your temper, the troll wins. The troll may alert other trolls to join together to harass the victim. Assume the perpetrator is having a bad day and respond as such. A few good words cost nothing but are priceless.

If this does not work, then ignore or, better still, block the person, and if the comments cross the line of civility, report them to the police.

Sunday, July 28, 2013

ATM skimming is a form of low-value financial fraud in which cyber crooks clone ATM cards using an ATM skimmer, a device attached to an ATM to capture a victim's magnetic stripe data and PIN.

In my Best of the Web Cyber Safety Videos we pay tribute to an informative video by the Queensland Police Department on ATM skimming and what can be done to detect a tampered ATM. If this video fails to appear for lack of Shockwave or Flash support in your browser, go to YouTube and search for "Fiscal the Fraud Fighting Ferret: Episode 3 - ATM Skimming".

Saturday, July 27, 2013

In India, the
use of the Internet and Social Networking is predominant among the more literate
middle classes, and it is quite unlikely to find semiliterate domestic helps
using Facebook. Therefore, it was with a great degree of shock and trepidation
that a retired couple and their adult children woke up to Facebook friend
requests from a crook who stole Rs 25 Lakhs (50,000 USD) from their home, after
sedating them with a spiked sweetmeat.

Reclining comfortably on a double bed in a white vest, the thief appeared to mock their efforts to track him down. He was quick to change his phone SIM card to prevent the police from tracing him, and seems able to procure SIMs without IDs or by using fake IDs. The thief's stunt caught the eye of the local newspaper, which promptly splashed the article on its front page, with his photograph.

Catching the eye of the people and publicly mocking law enforcement efforts to track him will narrow his chances of escaping the noose of the law. Use of information technology always leaves a trail of breadcrumbs, and I would not be surprised if our cyber cops are hot on his scent.

Out of curiosity, I did a little digging of my own to find out what type of person he was, who his friends were and what he posted. It was not without surprise that I found the thief and his friends clueless about the privacy settings on Facebook; their default settings allowed public access to all their profiles. I was not motivated to undertake an in-depth study of this information, but the little I saw convinced me that there was quite a bit going on. Quite a few profiles appeared to be of gays openly soliciting sex, other thieves posting that the law was after them, and perhaps a few educated people who must be ashamed that they can be seen on his friend list.

The thief has also set up three profiles under the same name, each with a different set of friends, and posts in English. In India, a person who can write and speak in English, a second language, would have had a school education. The use of computers, the Internet and Facebook indicates a fair amount of literacy.

The daily described the thief as a computer-savvy domestic help, but it seems more likely to be a case of an educated professional thief posing as a domestic help.

Either way, it seems all the more important to set our privacy settings on Facebook so that people other than our friends cannot view our timelines and our posts are not readable by an extended set of friends of friends, to restrict information on wealth and travel, and not to accept strangers as friends.

Being a Facebook friend of the crook is a sure blot on one's reputation, bringing undue attention from other friends, the law and employers.

Wednesday, July 24, 2013

The phrase "online censorship" conjures images of an autocratic government enacting laws to curb a netizen's online freedom of speech and expression. The slightest mention of the phrase instantly raises the hackles of interest groups, hacktivists and many Internet users.

In the midst of the polarized debate on free speech, the rationale behind Internet censorship and the question of whose responsibility it is are left unquestioned. It is assumed that censorship comes from governments and that cyber citizens have no role to play in it. This notion is flawed, as censorship by cyber citizens is urgently needed to control abusive and inappropriate content posted by other cybercitizens. The unattractive alternative is to be policed by the government or law enforcement using loosely defined laws, which are subject to misuse.

Cybercitizens
can censor in two ways.

Firstly, by instantly and collectively reprimanding objectionable online comments made by cyber bullies, trolls, racists and fanatics as and when they write such posts. Cybercitizens cannot remain mere bystanders and have to step in to actively demonstrate that such behavior is not appreciated. Cyber citizens must own the responsibility to evolve and build an ethical online social order based on a collective consciousness, one which can be taught in school and passed on to the next generation of digital users.

Secondly, the institutions that collect, store and disseminate user-generated content, such as social networking platforms and websites, must be coerced to actively implement measures to reduce net anonymity, filter objectionable content, and remove hateful ideology by acting on reports from net users. Most of these sites do not play a role in moral or ethical policing and remain protected by laws which pass the accountability on to users, many of whom are anonymous or even in other countries where they are safe from prosecution. Free online platforms sustain themselves and their stock valuation by being able to mine a user's behavior for ad revenue. This motive allows them to be lax on an individual's security and privacy, and tolerant of a wide range of content. Even today, any user can build a fictitious profile on almost all such sites.

Cybercitizens can encourage such sites to pay attention, take action and be transparent about actions taken on reported abuse, by publicly showing disapproval on the sites' forums and blogs and by prodding their respective governments to enact stringent laws for content management.

Tuesday, July 23, 2013

Wikipedia defines a troll as "someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as a forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion".

The main
objective of a troll is to intentionally lure a victim into a pointless or
annoying discussion by responding to rude questions or statements. The troll
amuses himself while the unsuspecting victim is emotionally riled up. Trolls
have their own online troll communities where they boast of their exploits and
rant on sites that have banned them.

Trolls use anonymous identities and create long-term, elaborate fictitious profiles, fictitious not simply in name but in role, age, disability and sex. Some may be outright rude; others may act subtly to ruin the online experience of others, posing as a newcomer deliberately making silly errors in a multiplayer game, or asking stupid questions in user groups to derail discussions. The troll has very little accountability and acts online in a manner he never would in real life.

A troll works by casting bait, making provocative statements on RIP pages, blogs, YouTube, chatrooms, forums and message boards, and waiting for a victim to bite and respond. If the bait is picked up, the troll then begins a vitriolic discussion with the victim. The troll is always a winner, having nothing to lose and all to gain. The victim is always a loser.

Trolls are usually an online nuisance, but there are instances when trolls cross the line from rude behavior to criminality. This happens when trolls post death threats, cyber bully, publish phone numbers of decent women for sex chats, or post fake advertisements for the sale of goods online.

Why do people troll? Sometimes to settle personal vendettas or further a political agenda, but in a large number of cases trolls have no agenda except to derive sadistic pleasure or to relieve real-life frustration on strangers. Trolling could be the outcome of poor social skills, bad behavior and a lack of cyber ethics, or, according to psychiatrists, a mental illness which needs treatment.

Monday, July 22, 2013

LuciusonSecurity recently took fifth place in the uKnowKids Parenting Blog of the Year Contest. uKnowKids is a company which helps parents monitor their children online to protect them from cyber risks. The product helps parents review their children's social networks to identify predatory intentions and cyber bullying, and to be informed of new online friends.

As part of the
prize, uKnowKids has been kind enough to offer you, dear reader, 25 totally
free, year-long uKnowKids Premier accounts (social,
mobile and location monitoring) -- you won't even have to put in a credit card!

Sunday, July 21, 2013

The digital medium allows teenagers to use mobile devices and computers to send SMSs, MMSs, posts, tweets and pictures, to chat and to write blogs. Teenagers set up social networks with friends, acquaintances and even strangers using social networking platforms like Facebook, Twitter and MySpace. Writing a post online is akin to shouting in a room full of friends. When rumors, gossip or something hurtful is said about another, in a spate of anger, envy or fun, it may trigger a mob reaction where the bully is actively cheered on by others in the online room, emotionally scarring the victim.

In my Best of the Web Cyber Safety Videos, we pay tribute to a video which explains cyber bullying. If this video fails to appear for lack of Shockwave support in your browser, go to YouTube and search for "Cyber Bullying Virus".

Thursday, July 18, 2013

In a small US town, students mourned the untimely death of
two of their popular teenage schoolmates in a car crash. Condolences poured in
on an online memorial page for the two girls.

Within twenty-four hours, a man named Carlos issued a dire warning on the RIP page.

“My
father has three guns. I'm planning on killing him first and putting him in a
dumpster.”

“Then
I'm taking the motor and I'm going in fast. I'm gonna kill hopefully at least
200 before I kill myself. So you want to tell the deputy, I'm on my way.”

“Stop it”
responded an indignant Miss Phillips, a school teacher.

To which Carlos replied “You have been chosen tomorrow at school to receive 1 of my
bullets. The doctors will have to unscrew the bullet from your skull !@$#.”

He added: “I'm killing
200 people minimum at school. I will be on CNN.”

The little town had never experienced dire threats before. Cell phones rang noisily as worried parents called the school, police and other parents, fearing for the safety of their children. Local authorities rushed in reinforcements and immediately locked down all the schools in the area. Half of the 6000 students stayed at home behind locked doors. Armed guards patrolled the corridors and checked the school bags of every pupil. There was muted conversation in the hallway as children walked self-consciously to their classrooms. Nervous teachers taught sparsely populated classes. Everyone was on edge. Two months ago, in another school not far away, 20 children and six adults were shot dead by another student.

Tuesday, July 16, 2013

Governments are spending up to half a million US dollars to stock up cyber arsenals with zero-day vulnerabilities. Zero-day vulnerabilities are not found by specialist firms, but by individual security researchers or small groups of them.

Security researchers currently report vulnerabilities to product firms under responsible disclosure norms, and the firms fix such flaws before they are published. Product companies do not monetarily incentivize security researchers to report vulnerabilities; instead they offer a mention or appreciation on their web site. Bug bounty programs, which motivate third-party researchers to find and report bugs, have payouts ranging between five and twenty thousand US dollars.

Hawking zero days to governments requires that these flaws be kept alive and not reported to product companies. Such flaws remain discoverable by others, including cyber criminals who use them to target enterprises for financial and ideological gain.

Exorbitant payouts and the opportunity to sell a single zero day to multiple governments will increase the number of security researchers who specialize in this trade. Product companies are forced to be vigilant and safeguard against employees who deliberately introduce software backdoors in collusion with grey market operators.

Sunday, July 14, 2013

Today, we pay tribute to a fascinating video, an ABC News Nigerian Scam Documentary filmed in 2006 but remarkably relevant in 2013. If this video fails to appear for lack of Shockwave or Flash support in your browser, go to YouTube and watch "ABC News Nigerian Scam Documentary" at http://youtu.be/Q0e-pPfITts

Cyber bullies use social networks to post pictures, write comments and create tags which may be mean, hurtful or threatening to their victims. As social networks are inherently designed for collaboration, a bully's comment rapidly circulates among other members of a group, who may further comment on or like the post. When they do, it automatically adds credibility to the bully's action, lowering the victim's self-esteem and bringing in a sense of isolation and depression.

Thursday, July 11, 2013

I am privileged to have such a great set of supportive readers. I started this blog two years ago and at that time could not have imagined that my passion would eventually lead to my writing over 200 posts and publishing one widely read book, "StaySafe CyberCitizen". When I look back, I see not the start, but the road on which I must continue to walk with better ideas, innovation and content.

Wednesday, July 10, 2013

What you post online remains online. Occasionally, these posts transcend the thinly veiled line of bad humor into the threats Americans fear most: shootings in schools and terror attacks. Catching the attention of the law, these words haunt their teenage authors in dark and lonely prison cells where they wait out their sentences.

In India, the line is crossed when politicians feel defamed or religious communities have their sensitivities offended. Posts that criticize politicians never fail to instigate mobs of vigilante party workers. Two girls who wrote and liked a banal post attracted the wrath of overzealous party men and police officers, who quickly filed criminal charges. Petitions, media outrage and an alert Indian judiciary fuelled quick justice in a country where cases can languish for years, making the girls instant celebrities of free speech.

As I read the
passionate appeal of an American father whose son lies imprisoned for posting a
threat to shoot kids at his school, it struck me how difficult it was to
accurately preempt a crime from an interpretation of an online comment. The
parents and boy argue that the comment was innocent and nothing more than a
trashy rap line written in haste after a tiff with another online video gamer.
The law thought otherwise.

Threats of death or harm from cyber trolls and cyber bullies are more common. Coming from strangers and friends alike, these comments create feelings of anxiety, depression and isolation among teens.

Drawing the line on gross misdemeanors on social networks requires a tolerant and compassionate judiciary, police, parents and teachers: institutions that must balance soft alternatives such as awareness, education, warnings and community service with the stricter punishment of jail sentences.

Milder posts, which do not attract much attention, may however haunt children when they apply to schools or for a job, or even in their relationships with teachers. In a recent survey, 53% of teens reported posting something online which they subsequently deleted for being mean or for disclosing personal information about themselves.

Monday, July 8, 2013

Earlier this month, the Electronic Frontier Foundation filed an appeal against the 41-month conviction of Andrew "Weev" Auernheimer, who along with a colleague exploited a hole in AT&T's public website to siphon off 114,000 email addresses of AT&T's iPad customers. Andrew erred in sending these email addresses to "Gawker", which published a few of them, prompting an investigation. Andrew was charged with identity theft and a felony under the Computer Fraud and Abuse Act of 1986 (CFAA). Andrew's colleague, who wrote the script "iPad 3G Account Slurper" which extracted the email addresses, pleaded guilty and was not sentenced.

On June 6, 2013, mainstream Indian media went ballistic over a blog post by a Cornell student of Indian origin who had scraped the entire ICSE Class X and ISC Class 12 results off an online website and analyzed the marks distribution. Luckily for the student, neither the 1,50,000 students nor the Council of Indian School Certificate Examination (CISCE) board filed a case. The hacker fortuitously did not disclose the data online as Andrew did.

In both these events the hackers claimed in their defense that their act could not be equated to a hack, as they scraped data that was publicly available to anyone with reasonable technical knowledge, notwithstanding that in both cases a script was written to extract bulk data using randomized inputs.

There are security professionals and firms who test a company's websites without authorization and use the vulnerabilities they find as a sales pitch. This practice, prevalent in the early days of the dotcom era, was acceptable to firms, who did not spend money on routine security assessments, as the largest risk was website defacement. At that time, amateur hackers were a nuisance to business, nothing more. Nowadays, the risks and benefits of cyber crime are far bigger, and it is difficult to distinguish between well-meaning professionals and crooks.

Should this practice be encouraged? I believe not. Should people like Andrew Auernheimer or Aaron Swartz be punished severely? I believe not. This is where an informed and aware judiciary has to draw the line. In the first instances of new forms of crime, sentences are handed out to set an example. This, in my view, is unjust to the person who was caught first, as others who follow may be more fortunate.

On a similar note, people and companies who do not take steps to protect their net infrastructure and customer data should be penalized. The fault for not using encrypted Wi-Fi, not changing the Wi-Fi default password, not using an updated antivirus or not patching a computer should rest squarely on the owner, as its impact can have consequences for other people, firms or even national security.

Product vendors have found a way to motivate security researchers through legitimized bug finding via bug bounty programs. Bug bounty programs offer a bounty, which may be up to 1,00,000 US$, for every security bug found and disclosed responsibly. Responsible disclosure allows the product vendor time to fix the vulnerability before public disclosure. Such programs are unsuitable for companies, and unauthorized, non-professional testing has the ability to create site outages.

Saturday, July 6, 2013

Fake passport rackets are rampant in most parts of the world that depend on photographs as the principal form of identity proof. Aside from their use as a travel document, passports are an authentic source of proof of citizenship in countries like India which do not have a national identity card.

Falsified
passports are used for escape into exile, identity theft, age deception,
illegal immigration, and organized crime. Passports are therefore sought after
by immigrants from Bangladesh, those seeking low skilled foreign jobs,
terrorists, criminals, and convicts fleeing from the country. Terrorists need
to circumvent immigration laws and law enforcement "watch lists" to
travel internationally in order to raise funds, recruit operatives, train the
operatives and send them out to plan and conduct terrorist attacks.

Gangs that specialize in forged passports offer a wide range of services, which include arranging a fake passport, replacing the photographs in a passport, fake visas, fake ECNR and even forged arrival/departure stampings. Passports are prepared in three ways: obtaining genuine passports using fake documents and bribes, physically altering a valid stolen passport by replacing pages or photographs with fake ones, and fabricating passports outright.

Many of the passport rackets are in active connivance with corrupt passport, government and police officials who charge between Rs 20,000 and Rs 50,000 for each passport. The number of passports seized during each raid is in the hundreds, which points to a significant demand for forged documents.

A Google search for passport rackets unearthed in India shows the scam to be prevalent in every major city. The most prized passport is a genuine one issued in a fake name, as shown in this live news report of a recent bust in the northern Indian city of Kanpur. This weakness in our country's primary source of reliable identification is truly worrisome. It will continue to remain so until the Aadhaar program for biometric identification of all Indians is fully operational and used by government departments like immigration and by banks. Click to watch the clip on YouTube at http://youtu.be/QfiFCLwwlyM .

Interestingly, the scam seems to be going online. An investigative article on the Russian cybercrime underground describes a do-it-yourself site for passports and other credentials. The web site promises a quick set of documents at a slightly lower quality and price. Many of these online offerings are actually run by scammers who believe there is a quick buck to be made.

Passports are not the only documents that are fabricated and available for a price on the market. Other documents like PAN cards, birth certificates, educational certificates and employment certificates are all available for a price. Besides fake credentials, there have been instances of bogus universities set up only for the purpose of issuing degree credentials, and of the hiring of substitutes to sit entrance examinations for prestigious colleges.

Thursday, July 4, 2013

Russell Crowe, the Australian actor best known for his role as the Roman general Maximus Decimus Meridius in the epic film Gladiator, gave his one million fans a rude shock when a sultry picture of a woman's pubic area appeared in his Twitter feed. His public relations team claimed that his Twitter account had been hacked into, and Crowe himself denied any knowledge of the pubic tweet.

Posting a nude picture would perhaps be the silliest action by any hacker, and therefore seems improbable. Typically, hackers tweet spam links or broadcast their achievement once a celebrity account is compromised. A good example is the very real hack of the vivacious Lady Gaga's Twitter and Facebook accounts to tweet/post a fake survey link masked as an attractive free iPad giveaway gimmick.

Whatever the truth may be, we must ensure that no one gets hold of our unattended phone and tweets onto our Twitter feed. Technically, you are hacked, but by someone known: naughty children, colleagues or an estranged partner, for example. Password-protecting your phone is a useful defense.

Another intriguing but largely improbable theory, based on the recent Chinese incident of a technician accidentally broadcasting a porn film on a public LED screen, is that a PR manager accidentally tweeted on a client's account while viewing pictures on his device.

Tweet-happy fingers are a strict no-no; but that advice happens to be good old common sense, not cyber security.

Wednesday, July 3, 2013

Many companies and organizations have charitably funded cyber security and cyber safety videos. These well-meaning initiatives have not gained the visibility they truly deserve, as the budget for promoting community initiatives is usually small. Yet they hold the potential to create instant awareness.

In the Best of the Web cybersecurity videos list, I endeavor to link these brilliant videos together on my blog and Facebook page, to help educationists, individuals and parents easily find and use them.

Today, we pay tribute to a fascinating video on personal online privacy for teenagers and adults. Watch on!

Tuesday, July 2, 2013

Well-written and tested software seems to be an idealistic assumption, with sites like Skype and Facebook failing to eliminate flaws in the very components which ensure security and privacy on their platforms. There have been two reported cases where Skype and Facebook accounts were hijacked by the exploitation of logical flaws in their account set-up mechanisms. The security researchers who uncovered these flaws smartly combined features available for setting up and resetting accounts to gain full control over a victim's account. Neither of these attacks required coding knowledge or special skills, and the attacker did not need any secret credentials to gain access to accounts, only email IDs or profile names. In both attacks the owners of the targeted accounts had no indication that the hack was underway until they were no longer able to access their accounts.

Very recently Facebook fixed a flaw where a victim's account could be hijacked using an SMS in under a minute. The account hijack was a two-step process. In the first step, an arbitrary mobile phone was associated with the target's Facebook account; in the second step, a password-reset process was initiated using the attacker's phone to choose a new password for the targeted account, giving him complete access.
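The two-step flaw above comes down to one missing check: the phone-confirmation step trusted a client-supplied account identifier instead of the logged-in session. The following is an added example (not Facebook's code nor the researcher's) that models that handler in its weak and hardened forms; the account names, phone numbers and function names are assumed.

```python
"""Toy model of the SMS account-hijack flaw: a phone-confirmation handler that
trusts a client-supplied account id, beside the hardened version.

Assumptions (constructed for this example, not Facebook's real design):
- accounts are a dict keyed by account id;
- a logged-in session identifies exactly one account;
- the confirmation request carries an account id and a phone number;
- a reset token is "sent" to whichever account the phone is attached to.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password: str
    phone: Optional[str] = None


@dataclass
class Site:
    accounts: Dict[str, Account]
    # reset token -> account id; models the SMS-based reset flow
    reset_tokens: Dict[str, str] = field(default_factory=dict)

    # --- Step 1, weak: binds the phone to whatever account id the client sent
    def confirm_phone_weak(self, session_account: str, requested_account: str, phone: str) -> bool:
        # BUG: requested_account comes from the request, not the session, so a
        # user logged in as themselves can attach their phone to any account.
        self.accounts[requested_account].phone = phone
        return True

    # --- Step 1, hardened: the phone may only be bound to the session's account
    def confirm_phone_fixed(self, session_account: str, requested_account: str, phone: str) -> bool:
        if requested_account != session_account:
            # Mismatch between session and request is a tampering signal:
            # reject, and in a real system log it for detection.
            return False
        self.accounts[session_account].phone = phone
        return True

    # --- Step 2: password reset by phone (same code in both variants)
    def request_reset_by_phone(self, phone: str) -> Optional[str]:
        for acct_id, acct in self.accounts.items():
            if acct.phone == phone:
                token = secrets.token_hex(8)
                self.reset_tokens[token] = acct_id
                return token  # in reality delivered by SMS to that phone only
        return None

    def reset_password(self, token: str, new_password: str) -> Optional[str]:
        acct_id = self.reset_tokens.pop(token, None)
        if acct_id is None:
            return None
        self.accounts[acct_id].password = new_password
        return acct_id


def hijack_succeeds(use_fixed: bool) -> bool:
    """Replay the two steps from the post against a fresh site; return True if
    the attacker ends up controlling the victim's account."""
    site = Site(accounts={
        "victim": Account("victim@example.com", "victim-secret"),
        "attacker": Account("attacker@example.com", "attacker-secret"),
    })
    confirm = site.confirm_phone_fixed if use_fixed else site.confirm_phone_weak
    attacker_phone = "+10000000001"  # constructed sample value
    # Step 1: logged in as "attacker", submit the victim's id with the attacker's phone.
    confirm(session_account="attacker", requested_account="victim", phone=attacker_phone)
    # Step 2: ask for a reset code for that phone and set a new password.
    token = site.request_reset_by_phone(attacker_phone)
    if token is None:
        return False
    reset_for = site.reset_password(token, "attacker-chosen")
    return reset_for == "victim" and site.accounts["victim"].password == "attacker-chosen"


if __name__ == "__main__":
    print("weak handler hijacked:", hijack_succeeds(use_fixed=False))   # True
    print("fixed handler hijacked:", hijack_succeeds(use_fixed=True))   # False
```

The hardened handler also keeps the legitimate path working: a user confirming a phone for their own account still succeeds, so the fix costs no functionality.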

These sites have been in operation for many years, yet were still susceptible to the introduction of new flaws, or perhaps the reintroduction of old ones, as new functionality was added. The root cause of the problem is the pressure of rapid release cycles coupled with limited feature testing.

As a cybercitizen, there are limited defenses against such flaws. Use of one-time authentication, if provided by the site, enhances login security. Another good practice is the use of two email IDs, one kept secret and used only as a login credential and another for regular email.


About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or LinkedIn at http://in.linkedin.com/in/luciuslobo